Vulnerability Note VU#426273

KTH Kerberos filesystem race condition on tickets stored in /tmp

Original Release date: 19 Dec 2000 | Last revised: 11 Jan 2001

Overview

There may be a race condition during the creation of Kerberos ticket files in the /tmp directory. This race condition may allow intruders with local access to the system to gain root privileges.

Description

During the creation of ticket files in the /tmp directory, a sequence of calls occur which may allow a local attacker to replace the ticket file with a symbolic link. If this symbolic link is followed when the ownership of the ticket file is set, the attacker may be able to gain ownership of files initially owned by root.

Impact

On systems where the sticky bit is not set on the /tmp directory, a local attacker can gain ownership of any file on the system. This allows the attacker to gain root privileges.

This attack may also be possible on systems where the /tmp directory does have its sticky bit set, depending on the exact sequence of calls used to create and set the ownership of the Kerberos ticket file.

Solution

Apply a patch from your vendor.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
FreeBSDAffected11 Dec 200014 Dec 2000
AppleNot Affected11 Dec 200014 Dec 2000
Compaq Computer CorporationNot Affected11 Dec 200014 Dec 2000
FujitsuNot Affected11 Dec 200011 Jan 2001
IBMNot Affected11 Dec 200014 Dec 2000
MicrosoftNot Affected11 Dec 200014 Dec 2000
BSDIUnknown11 Dec 200014 Dec 2000
CalderaUnknown11 Dec 200014 Dec 2000
Data GeneralUnknown11 Dec 200014 Dec 2000
DebianUnknown11 Dec 200014 Dec 2000
Hewlett PackardUnknown11 Dec 200014 Dec 2000
KTH KerberosUnknown-14 Dec 2000
NetBSDUnknown11 Dec 200014 Dec 2000
OpenBSDUnknown11 Dec 200014 Dec 2000
RedHatUnknown11 Dec 200014 Dec 2000
If you are a vendor and your product is affected, let us know.View More »

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

Thanks to Jouko Pynnönen for reporting this vulnerability to the CERT/CC, and to Assar Westerlund for assisting in the development of this document.

This document was written by Cory F Cohen.

Other Information

  • CVE IDs: Unknown
  • Date Public: 09 Dec 2000
  • Date First Published: 19 Dec 2000
  • Date Last Updated: 11 Jan 2001
  • Severity Metric: 8.19
  • Document Revision: 9

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.